Why ‘buy’ beats ‘build’ when it comes to CDR compliance

Originally published at Fintech Business

With the compliance deadline for Australia’s new Consumer Data Right (CDR) regulations looming, many organisations are assessing the best strategy for building the required technology components.

Under CDR rules, financial institutions must provide customers with greater access to and control of their data. The aim is to make it easier for consumers to switch between products and services and to encourage more competition between service providers. For tier one banks and large financial institutions, CDR compliance needs to be in place by July 2020. However, because of the pressures caused by the COVID-19 pandemic, tier two banks and smaller firms have been granted an extension until July 2021.

The challenge of ‘DIY’ Identity platforms

An important technical component of a CDR-compliant infrastructure is an effective digital Identity platform. Banks and finance companies need to be able to check the identity of parties before making data available to them while also securely managing data received from other firms. To achieve this, some organisations have opted to take a “DIY” approach and build their own digital Identity platforms. Coding teams have been hard at work creating the required capability with the goal of having it fully operational before the compliance deadline arrives. While this approach can work, it brings with it a range of challenges. These include:

  • Changing rules: CDR compliance is not a set-and-forget item as requirements will continue to change. A digital Identity platform that provides compliance today will likely have to be altered in the months ahead. This can put additional ongoing pressure on in-house security teams.

  • Differing levels of compliance: Financial institutions initially need to achieve compliance as a data holder. This allows them to securely share customer data with other service providers. Institutions can also become compliant as a data recipient, which allows them to receive consumer data. However, this level requires more complex Identity capabilities and some smaller institutions may not have the internal resources required to achieve it.

  • Development costs: Building a compliant digital Identity platform in-house is likely to be a complex and expensive exercise. Tasking an internal team with the job is likely to require the reallocation of funds from other projects.

  • Testing requirements: As with any new platform, rigorous testing will be required to ensure the digital Identity component performs as required. The need for such testing, and any resulting changes, could delay achievement of compliance by weeks or months.

  • Lost knowledge: When code is created in-house, the associated knowledge remains with the people completing the work. If and when those staff leave, that knowledge is lost, which makes maintaining and updating the code very challenging. Ongoing changes to CDR regulations will make code updates necessary, and this must be considered from the outset.

The benefits of a dedicated Identity platform

A more effective way to achieve reliable identity and authentication within a CDR-compliant environment is to deploy a dedicated platform designed from the outset with data security in mind.

Taking this approach means that rather than tying internal security teams up with writing code and testing, those resources can be dedicated to projects that add more business value. You wouldn’t consider building your own web server or coding a web browser, for example, as using off-the-shelf components proven to do the job is a far better approach.

Identity platforms make it possible to meet the requirements quickly and without a lot of custom development. Your organisation can make use of a platform aligned to the requirements of CDR and Australia’s open banking regulations with minimal customisation.

A suitable Identity platform can also be used to connect other applications across an organisation. Mobile and web-based banking services, for example, can take advantage of the provided capabilities and offer features such as two-factor authentication to customers.

When weighing up the DIY versus purchase question for an Identity platform, the three key points to consider are:

  • Recognise where value lies within your organisation and therefore where internal resources should be focused. It’s probably not building your own Identity system.

  • Understand that continuous change is a part of business life and that new opportunities will constantly appear. Having a robust platform in place that can support new initiatives will be important.

  • Avoid building yet another technology silo that needs to be managed and maintained. A dedicated Identity platform can support business operations across multiple applications and services.

By taking this approach, financial institutions will not only achieve CDR and open banking compliance, but will also position themselves to take advantage of new revenue streams as they appear. Rather than being a technical burden on operations, an Identity platform can be a catalyst for future growth.